dcfldd
forensic disk imaging tool with hashing
TLDR
Create disk image with progress
SYNOPSIS
dcfldd [options]
DESCRIPTION
dcfldd is an enhanced version of GNU dd developed by the Department of Defense Computer Forensics Lab (DCFL). It adds features critical for forensic imaging, including on-the-fly hashing, status output, split output, and verification.
The tool can compute multiple hash types (MD5, SHA1, SHA256, etc.) while copying, ensuring data integrity. It supports writing to multiple outputs simultaneously for creating duplicate forensic images.
dcfldd provides progress output during copying, addressing one of dd's most common complaints. It's widely used in digital forensics, incident response, and data recovery operations.
PARAMETERS
if=file
Input file or device.
of=file
Output file (can specify multiple).
vf=file
Verify file against input.
hash=types
Hash algorithm(s) (md5, sha1, sha256, sha384, sha512).
hashlog=file
Write hash to file.
hashwindow=n
Hash every n bytes.
pattern=hex
Fill pattern for wiping.
split=size
Split output at size intervals.
splitformat=fmt
Split file suffix format.
statusinterval=n
Show status every n blocks.
bs=size
Block size for read/write.
count=n
Copy only n blocks.
skip=n
Skip n blocks at start of input.
seek=n
Skip n blocks at start of output.
conv=options
Conversion options (noerror, sync, etc.).
CAVEATS
Slower than dd due to hashing overhead. Hash verification requires reading data twice. Forensic imaging should use write blockers on source media. Some features may behave differently than standard dd.
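An added example (not from the original page or the dcfldd project): shell functions that image a source with on-the-fly SHA-256 hashing using the parameters listed above, then re-read the image with sha256sum and compare the result to the hash log. The function names, file arguments and the "Total (sha256): <hex>" log line format are assumptions.

```shell
#!/bin/sh
# Added example: acquire an image with dcfldd, then verify it independently.
# Function names, arguments and the hash-log line format are assumptions.

# Image SRC to IMG, hashing on the fly and writing the digest to LOG.
acquire() {
    # conv=noerror,sync continues past read errors and zero-pads the
    # failed block, so offsets in the image stay aligned with the source.
    dcfldd if="$1" of="$2" bs=64k conv=noerror,sync \
           hash=sha256 hashlog="$3" statusinterval=256
}

# Print the total SHA-256 recorded in LOG, lowercased.
# Assumed log line: "Total (sha256): <64 hex characters>"
logged_digest() {
    sed -n 's/^Total (sha256): *\([0-9a-fA-F]\{64\}\).*$/\1/p' "$1" |
        head -n 1 | tr 'A-F' 'a-f'
}

# Re-read IMG with a different tool and compare against LOG.
# Returns 0 on match, 1 on mismatch, 2 if the log has no usable digest.
verify_image() {
    local img=$1 log=$2 want got
    want=$(logged_digest "$log")
    [ -n "$want" ] || { echo "no sha256 total in $log" >&2; return 2; }
    got=$(sha256sum "$img" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "OK $img $got"
    else
        echo "MISMATCH $img logged=$want actual=$got" >&2
        return 1
    fi
}

# Usage: script SRC IMG LOG  (SRC should sit behind a write blocker)
if [ $# -eq 3 ]; then
    acquire "$1" "$2" "$3" && verify_image "$2" "$3"
fi
```

The second read in verify_image is the cost the caveat above refers to; it uses a separate tool so that a fault in the imaging run is not repeated in the check.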
HISTORY
dcfldd was developed by Nick Harbour at the Department of Defense Computer Forensics Laboratory (DCFL) in the early 2000s. It was created to address the needs of forensic investigators who required verifiable, documented disk imaging capabilities. The tool became a standard in digital forensics training and practice.
